feat: implement cmpd's PolicyRules #8328

Open
wants to merge 15 commits into
base: main

cjc7373
Contributor

@cjc7373 cjc7373 commented Oct 24, 2024

Fixes #8310. Things done in this PR:

  • implements cmpd's PolicyRules
  • changes the semantics of serviceAccountName in the cluster and component CRs. KB now does not create rbac resources if the user has specified a service account.
  • serviceaccount is now within a component's level, with a name of kb-<clusterName>-<compName>.

TODO:

  • update pg addon's cmpd policyRule since we removed kubeblocks-patroni-pod-role

@github-actions github-actions bot added the size/XL Denotes a PR that changes 500-999 lines. label Oct 24, 2024
@cjc7373 cjc7373 changed the title feature: implement cmpd's PolicyRules feat: implement cmpd's PolicyRules Oct 24, 2024

codecov bot commented Oct 25, 2024

Codecov Report

Attention: Patch coverage is 72.00000% with 28 lines in your changes missing coverage. Please review.

Project coverage is 62.06%. Comparing base (cdd2d01) to head (8c646de).
Report is 15 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| controllers/apps/transformer_component_rbac.go | 75.64% | 11 Missing and 8 partials ⚠️ |
| pkg/controller/factory/builder.go | 27.27% | 8 Missing ⚠️ |
| pkg/controller/component/synthesize_component.go | 50.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8328      +/-   ##
==========================================
+ Coverage   61.29%   62.06%   +0.76%     
==========================================
  Files         350      351       +1     
  Lines       41172    41751     +579     
==========================================
+ Hits        25236    25911     +675     
+ Misses      13637    13533     -104     
- Partials     2299     2307       +8     
Flag Coverage Δ
unittests 62.06% <72.00%> (+0.76%) ⬆️


@cjc7373 cjc7373 marked this pull request as ready for review October 28, 2024 07:30
@cjc7373 cjc7373 requested review from leon-inf, Y-Rookie and a team as code owners October 28, 2024 07:30
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeblocks-backup-pod-role
Contributor Author

This role is also not needed since the relevant code was removed in #8203

@apecloud-bot apecloud-bot added the approved PR Approved Test label Oct 31, 2024
@@ -166,33 +164,9 @@ func kindsForWipeOut() ([]client.ObjectList, []client.ObjectList) {

// shouldSkipObjOwnedByComp is used to judge whether the object owned by component should be skipped when deleting the cluster
func shouldSkipObjOwnedByComp(obj client.Object, cluster kbappsv1.Cluster) bool {
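Review bot: In the signature `shouldSkipObjOwnedByComp(obj client.Object, cluster kbappsv1.Cluster)`, `cluster` is passed by value, so each call copies the whole Cluster object; take `*kbappsv1.Cluster` instead, and since this hunk shrinks the region from 33 lines to 9, check that the helper still reads anything from `cluster` at all. The doc comment could also state what "skipped" means for the caller, that is, whether the object is left in place or deleted along with the cluster.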
Collaborator

remove shouldSkipObjOwnedByComp and use isOwnedByComp directly

// If the user has disabled rbac manager or specified comp.Spec.ServiceAccountName, it is now the user's responsibility to
// provide appropriate serviceaccount, roles and rolebindings.
if transCtx.Component.Spec.ServiceAccountName != "" {
return nil
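Review bot: The early `return nil` on `transCtx.Component.Spec.ServiceAccountName != ""` does not match the comment above it, which also names the "disabled rbac manager" case that this condition never tests; either add that check here or reword the comment to cover only the case handled. Nothing in these lines reports a problem with the user-supplied account, so a mistyped name or a ServiceAccount without the needed role bindings would only show up later when the pods fail; consider verifying that the ServiceAccount exists and recording an event or condition when it does not.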
Collaborator

If the SA does not exist, raise an error?

Labels
approved PR Approved Test area/user-interaction size/XL Denotes a PR that changes 500-999 lines.
Development

Successfully merging this pull request may close these issues.

[Features] Implement ComponentDefinition's PolicyRules
4 participants